How to choose full disk encryption for laptop security, compliance

Full disk encryption is becoming a priority for laptop security in midmarket companies because of regulatory compliance and fear of data breaches. Consider central management, ease of deployment, user transparency, reporting, platform support and price to evaluate laptop encryption products.


full disk encryption for laptop security and to address the security of sensitive data that is mobile and easily shared, lost or stolen.

While most regulations don't specifically require laptop encryption software or hardware, compliance is the hammer that is driving midmarket companies to deploy full disk encryption on employee laptops. State data breach laws are perhaps the most compelling, but you're running a high risk of HIPAA, GLBA and PCI DSS non-compliance if you don't encrypt. Massachusetts' personal information law, 201 CMR 17.00, scheduled to go into effect next March, requires laptop encryption for any company holding Massachusetts residents' personal information.

There are a number of good commercial products on the market, so once you decide to deploy FDE on corporate laptops, there are several key evaluation areas:

Central management. Again, given limited resources for a large number of users, this is essential for the midmarket. In particular, key management is otherwise a very manual process, requiring spreadsheet tracking and securing that information from prying eyes. These products typically take most of the pain out of this chore.

"If you want to use a free solution like TrueCrypt, at 10 users, you're probably good," said Jon Oltsik, senior analyst at Enterprise Strategy Group. "When you get into the hundreds of employees, you want something with management muscle behind it."

The product should automatically do symmetric key encryption and store the keys locally. Neither the user nor the admin need be concerned with them again. A master key is created to give authorized management access to encrypted drives to reclaim data from laptops of terminated employees or for legal purposes.

"With no centralized key recovery scheme, each user is on his own or the admin has to make up his own recovery system," said Tim Matthews, vice president of marketing at PGP Corp. "That's not very economical and rife with security issues."

Note: A strong password policy is critical. Encryption is useless if the password is cracked. People also tend to forget strong passwords, so your product should allow easy recovery. One common feature is a complex one-time password that the admin can deliver to the user out-of-band. Most products also have self-service password reset options, requiring the user to answer challenge questions.

If you need stronger authentication for some or all of your users, look for products that integrate easily with two-factor authentication products, such as tokens or biometrics.

Reporting. This doesn't have to be elaborate, but you need to be able to prove that all your laptops, particularly those that fall under regulatory control, are encrypted. For example, if you are subject to PCI DSS, you can generate a report that says, "I'm covered." Similarly, if a laptop is lost or stolen, the report verifies the drive was indeed encrypted, relieving your company of that costly disclosure requirement.
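The key-management and recovery flow described above (a per-laptop symmetric key, a master key for authorized management access, an out-of-band one-time recovery password) and the coverage report from the Reporting section, modelled as an added example. This is illustrative code written for this article, not any vendor's product or protocol. It assumes a management server that escrows each laptop's data-encryption key under an organisation master key, and it uses a stand-in key-wrapping construction (PBKDF2-derived one-time key, XOR, HMAC tag) so it runs with the Python standard library alone; a real product uses AES key wrap, but the hierarchy and the recovery steps are the same.

```python
"""Toy model of a centrally managed full-disk-encryption key hierarchy.

Each laptop generates a random data-encryption key (DEK) that would encrypt
the disk.  The DEK is never stored in the clear: one copy is wrapped under a
key derived from the user's passphrase (the "user slot"), and a second copy is
wrapped under the organisation's master key and escrowed on the management
server.  Key wrapping here is XOR with a freshly derived, never-reused
wrapping key plus an HMAC tag (encrypt-then-MAC); a real product uses AES
key wrap, but the key hierarchy and recovery flow are the same.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed value for the example; tune to the hardware


def _derive(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent wrapping and MAC keys from a secret and a per-slot salt."""
    material = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def wrap_key(secret: bytes, dek: bytes) -> dict:
    """Wrap a DEK under a secret; the returned slot is what gets stored at rest."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(secret: bytes, slot: dict):
    """Return the DEK, or None if the secret is wrong or the slot was tampered with."""
    enc_key, mac_key = _derive(secret, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], enc_key))


class ManagementServer:
    """Holds the master key, the escrowed DEKs and the inventory used for reporting."""

    def __init__(self):
        self.master_key = secrets.token_bytes(KEY_LEN)  # never leaves the server
        self.escrow = {}     # device id -> DEK slot wrapped under the master key
        self.inventory = {}  # device id -> "encrypted"

    def enroll(self, device_id: str, dek: bytes) -> None:
        self.escrow[device_id] = wrap_key(self.master_key, dek)
        self.inventory[device_id] = "encrypted"

    def recover_dek(self, device_id: str) -> bytes:
        """Admin path: reclaim data from a lost laptop or a terminated employee's machine."""
        return unwrap_key(self.master_key, self.escrow[device_id])

    def issue_one_time_recovery(self, device_id: str) -> tuple[str, dict]:
        """Forgotten passphrase: mint a one-time recovery password to deliver out of band."""
        one_time = secrets.token_urlsafe(24)
        return one_time, wrap_key(one_time.encode(), self.recover_dek(device_id))

    def coverage_report(self, fleet: list[str]) -> dict:
        """Compliance report: which laptops in the fleet have an escrowed, encrypted DEK."""
        status = {d: self.inventory.get(d, "NOT ENCRYPTED") for d in fleet}
        return {"status": status,
                "unencrypted": sorted(d for d, s in status.items() if s != "encrypted")}


class Laptop:
    """Client side: generates the DEK at install time and keeps only wrapped copies."""

    def __init__(self, device_id: str, passphrase: str, server: ManagementServer):
        self.device_id = device_id
        dek = secrets.token_bytes(KEY_LEN)
        self.user_slot = wrap_key(passphrase.encode(), dek)
        server.enroll(device_id, dek)  # escrow happens transparently to the user

    def unlock(self, passphrase: str):
        """Pre-boot authentication: returns the DEK, or None on a wrong passphrase."""
        return unwrap_key(passphrase.encode(), self.user_slot)

    def recover_and_reset(self, one_time: str, recovery_slot: dict, new_passphrase: str) -> bool:
        """User types the out-of-band one-time password, then sets a new passphrase."""
        dek = unwrap_key(one_time.encode(), recovery_slot)
        if dek is None:
            return False
        self.user_slot = wrap_key(new_passphrase.encode(), dek)  # old slot is replaced
        return True


if __name__ == "__main__":
    server = ManagementServer()
    laptop = Laptop("LT-0001", "correct horse battery staple", server)  # constructed sample
    assert laptop.unlock("wrong passphrase") is None
    otp, slot = server.issue_one_time_recovery("LT-0001")
    assert laptop.recover_and_reset(otp, slot, "new passphrase")
    assert laptop.unlock("new passphrase") == server.recover_dek("LT-0001")
    print(server.coverage_report(["LT-0001", "LT-0002"]))
```

The point the model makes concrete is that neither the user nor the admin ever handles the DEK directly: the passphrase and the master key only unwrap it, so a forgotten passphrase costs one out-of-band recovery password rather than the data, and the same escrow record that makes recovery possible is what the coverage report is built from.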

User transparency. The end user shouldn't even know his drive and its data have been encrypted. You don't want to deal with help desk calls. Users may notice some slowdown during the initial installation, but they probably won't notice any ongoing performance impact.

Platform support. If you have Mac laptops, make sure the product works with those, with the same management console.

Additional capabilities. FDE products often include device/port control features, such as policy-based management of portable storage devices. Increasingly, vendors are offering suites that include data loss prevention and endpoint security, including their antimalware products. If you are looking at adding these capabilities, now or in the future, focus on those companies that offer them and evaluate how well they integrate all these products.

Price. In the final analysis, most of the well-known commercial products will meet your FDE requirements, and it may come down to who offers the best deal. Figure somewhere in the area of $25 a seat.

Free alternatives such as TrueCrypt won't have the central management, mass deployment or reporting you need. Management, key storage and password recording will be done manually, and you'll need a power user admin to install the software and track and manage updates.

If you were one of those companies that upgraded to Vista, the Ultimate and Enterprise editions include BitLocker encryption. It can be managed with Active Directory and Group Policy, but installation and management are more cumbersome than third-party encryption products. BitLocker will also be available with Windows 7.

You can pay a premium for laptops with encrypted hard drives, which means you don't need to install client software on each machine. However, you still need software for key management and reporting.
